So the HexNinja has been spending a lot of time going Phishing. Well more correctly examining phishing emails and watching them evolve and do their best to avoid SPAM detection while also gaining your confidence.
One of the questions I get asked is how the Phishing email got into our mail system without being flagged as malicious.
Besides obvious issues of SPF DKIM DMARC or lack thereof I am finding many phishing emails containing htm attachments.
They always have a great title like Remittance #763.htm or Invoice #692.htm and if your job is to process payments and balance the books and the email has come from a known contact that is a customer or supplier then the motivation to open a htm attachment is high.
Examining the contents of many htm files they don't look like human readable htm formats. To obfuscate their contents they will rely on a one or a combination of encoding to hide their true intentions and also so fool your email protection systems.
So armed with CyberChef https://gchq.github.io/CyberChef/ we can begin experimenting with how the files are encoded.
The four main techniques I am seeing are:
- URL encoding
- Base64
- Hexidecimal encoding
- Javascript packing
In this first post I will look at URL and BASE64 encoding.
In this second post I will look at Hexidecimal and Javascript packing.
The more difficult decodes involve a combination of these but lets walk before we run.
URL ENCODING
So if we open the htm file in a text editor and we see something like this
We can see that the quoted block has been url encoded and wrapped in a javascript decode function 'unescape'.
URL encoding is a way that website url and wepages can encoded special characters such as spaces %20 or other special characters. Normally a url string only encoded these special characters in but it can also be used to encode a whole string.
Basically it converts the string to bytes, encoded each byte to hex and separates each byte with a %.
Eg www.thehexninja.com would be
%77%77%77%2e%74%68%65%68%65%78%6e%69%6e%6a%61%2e%63%6f%6d
Try pasting that string into your browser and it automatically resolves to www.thehexninja.com.
We can get Cyberchef to do the heavy lifting of url decoding. We can copy all the encoded block within the quotes and paste it into Cyberchef using the URL Decode function as shown below.
This would obviously render to a simple embedded link as shown below
So we can see how this simple technique can be used to evade basic mail scanners, especially if the embedded link is not malicious such as a OneDrive, DropBox, SharePoint or a page on a another website.
Base64 Encoding
Sometimes the htm attachment contains base64 encoded sections, typically images prefixed with the type of image images/png or images/jpg
We can copy these encoded sections and paste into cyberchef (From Base 64)
We can now paste the Hex output into a hexeditor and save it as a JPG
(image/jpeg) or PNG
(image/png). The first PNG image decodes to
The second image is a JPG and renders as:
The 3rd image decodes to:
The forth image decodes to
When these images are overlayed they appear as
This is the classic spoofed Microsoft Office 365.
Hiding beneath the enticing image/webpage is the the code which basically accepts a post of the password and username in a POST to a google form, essentially capturing the victims credentials
Until next time, the hexninja says:
Stop Sneaky Phishers!
Encoding to Hide Data
Never Trust The Phish